"Everyone's susceptible," said psychology professor Christopher Mayhorn, one of the study's authors. "But there's relationships that make some people more susceptible."

Before taking the test, 89 per cent of the group had said they were "confident" in their ability to tell the difference between an authentic email and one sent by a scammer. But when put to the test, just 7.5 per cent of the participants were able to spot all the fake emails. And more than half of the group missed half of the fake emails and deleted at least one authentic email.

Females, people who were overconfident before the test, and people described as introverted were more likely to struggle with distinguishing the emails.

The findings are alarming given the growing personalisation of phishing attacks, in which scammers try to lure personal and proprietary information out of victims by posing as entities such as banks, airlines, stores and government agencies.

In some cases, scammers draw people to open websites or attachments that unleash viruses, keystroke-tracking software or other malware onto a victim's computer.

Mayhorn and the research team are completing several studies to help them produce a tutorial that will teach people about phishing. The project is being funded by the National Security Agency, and Mayhorn said he hopes to release the app late next year.

He noted that training could be more effective than the widening array of software being developed to stem phishing.

"If people get frustrated with those tools, they tend to turn it off," Mayhorn said. "That's why a lot of research in the past has discussed that it's a human problem. As long as there's a human in the loop, something's always going to be exploited."

Existing tutorials also are ineffective because they aren't based on science, Mayhorn said.

"Just like the phishing, it has to target people who are explicitly interested in clicking," he said. "It has to be quick – under 20 minutes, and it has to focus on the things that really need to be learned by that particular individual."

The latest study also found that nearly one in three asked someone else for help when confronted with a potential phishing attack. One in 10 actually contacted law enforcement or the entity supposedly sending the email. About 15 per cent of the undergraduates said they've clicked on a link in a phishing email, with 8 per cent of them saying they ended up with malware on the computer.

Those numbers fall in line with data from email security provider Proofpoint, whose application analyses emails for phishing attacks. Proofpoint said about 10 per cent of people clicked on a phishing link in a recent email pretending to be from the retailer Wal-Mart. What's worrisome is that this click-through rate is 10 times higher than the rate for links in legitimate emails from stores.

In a previous study, North Carolina State University's research team found that Americans are less susceptible than people in India. The Americans were more likely to notice visual clues such as the padlock icon when browsing secure websites. They also looked for misspellings, hovered over links to see what site they would lead to, or sought additional information to verify the legitimacy of an online retailer. One caveat in the study was that the Indian sample was considerably younger, and younger people tend to be more likely to click on links.

The team's first study found that Americans do pretty well at recognising how phishing works. But one in five respondents said they fell victim to an attack, with many feeling embarrassed or less trusting as a result.

Future studies will assess the susceptibility of other cultures including people in China, and people who work for government agencies.